I came across this plug-in that started some alarm bells ringing. The add-on would help submit a website to web directories. The first 100 submissions are free, then you need to pay $20 via PayPal (no other option) to get additional submissions.

This gave me the creeps! First install this plug-in and then do a payment via PayPal...

Is there a way to test the plug-in's behavior or view the communication it has with the browser content and/or input devices (keyboard)? I've thought of using a sniffer, then going to PayPal and pretending to do the payment (with a wrong password) to see if any data is going anywhere else than PayPal; however, the add-on might be clever enough to wait for a later moment when it "legitimately" needs to communicate with base (retrieving additional directories).

What browser are you on? I was developing an add-on to Chrome at one time and could turn on debug mode for the add-on. I'm not sure how that works though if the add-on is not yours. It probably depends on how the author has obfuscated (if at all) his code. A lot of add-ons are built using JavaScript.
– mikeazo, Nov 16 '11 at 12:25

2

@mikeazo Good point, reverse engineering may be the way to go.
– S.L. Barth, Nov 16 '11 at 12:45

Thanks mikeazo, the add-on is in Chrome (they also have a Firefox version). After investigation it is indeed just a small JavaScript "page" (never knew add-ons were written like this). I didn't find anything shocking there, they're using the browser as a proxy to do the actual submissions, probably keeping them from being banned by the directories. Just to be safe I'll be using another browser without any add-ons when using PayPal or on-line banking, which I probably should have been doing all along.
– Louis Somers, Nov 16 '11 at 14:32

3 Answers
3

Background. First off, I want to share with you some background about browser add-ins. There are two kinds of add-ins: extensions and plug-ins.

An extension is a JavaScript-based add-on that gains partial access to your browser, but is (at least in Chrome) restricted by a browser sandbox.

A plug-in involves native executable code that gains much more intimate access to your browser, and is not restricted by any sandbox. For instance, Flash player is a plug-in.

Plug-ins are considerably more dangerous, because they have full access to your filesystem, full access to run programs on your machine, full access to your browser (and all web sites you visit, passwords, etc.); they can do anything you can do. Extensions are more limited in what they can do (at least in Chrome), and thus (in Chrome) are safer.

I suspect you are asking about an extension, not a plug-in. For instance, the extensions in the Chrome Gallery are extensions.

How to tell if it is safe. In general, there is no good way to tell if an extension is safe. You can look at reviews from other users (though this is not fully dispositive). You can look to see if the extension has been around for a while, has a significant number of users, and/or comes from a respected brand/company/developer (though this is only an indicator and certainly not a guarantee of security).

And, perhaps most importantly, in Chrome you can look at the permissions that the extension is requesting. This will tell you what information the extension will gain access to and what it could do, if it were malicious. A malicious extension will be constrained by its permissions, so the fewer the permissions, the lower the risk of the extension.

Further reading. For more information, I suggest that you read the following:

If you do not want to spend time doing the steps Andrew explained (reverse engineering) and are really concerned about security - just assume all plugins are not safe unless they have a solid, active user base and a reputable author.

The plugin you described does not sound safe to me :) If you absolutely have to use it - run it in VMware to minimize possible loss and watch your PayPal acc.
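
The permission review suggested in the first answer can be done mechanically on the extension's `manifest.json`. The following Node.js script is an added example, not part of any answer above and not code from the add-on in question; the function names, the shortlist of sensitive APIs and the sample manifest are assumptions constructed for illustration.

```javascript
// Added example: list what a Chrome extension manifest lets the extension reach.
// Shortlist of real Chrome permission names; the selection is this example's choice.
const SENSITIVE_API = {
  tabs: "can read the URL and title of every open tab",
  cookies: "can read cookies for hosts it has access to",
  webRequest: "can observe network requests to hosts it has access to",
  history: "can read browsing history",
  nativeMessaging: "can talk to a native program outside the sandbox",
};

// True if a Chrome match pattern (scheme://host/path) covers the given host.
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\//.exec(pattern);
  if (!m) return false; // an API name such as "tabs", not a host pattern
  const h = m[2];
  if (h === "*") return true;
  if (h.startsWith("*.")) return host === h.slice(2) || host.endsWith(h.slice(1));
  return h === host;
}

// Returns findings for the hosts the reviewer cares about (e.g. a payment site).
function reviewManifest(manifest, sensitiveHosts) {
  const findings = [];
  // Older manifests list host patterns under "permissions"; newer ones use "host_permissions".
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const injected = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  for (const p of declared) {
    if (SENSITIVE_API[p]) findings.push(`api:${p}: ${SENSITIVE_API[p]}`);
  }
  for (const host of sensitiveHosts) {
    if (declared.some((p) => patternCoversHost(p, host))) findings.push(`host-access:${host}`);
    if (injected.some((p) => patternCoversHost(p, host))) findings.push(`script-injected:${host}`);
  }
  // A "plugins" entry means bundled native (NPAPI) code, which is not sandboxed.
  if ((manifest.plugins || []).length) findings.push("native-plugin: not sandboxed");
  return findings;
}

// Constructed sample manifest, not taken from any real extension.
const sample = {
  name: "Example Directory Submitter",
  permissions: ["tabs", "http://*/*", "https://*/*"],
  content_scripts: [{ matches: ["*://*.example-directory.test/*"], js: ["submit.js"] }],
};
console.log(reviewManifest(sample, ["www.paypal.com"]));
```

An empty result for a host only means the manifest does not grant access to it; it says nothing about what the extension does with the access it does have.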